Scenario 4-5: Configuring PortFast BPDU Guard

As previously discussed, enable PortFast with caution, and only on ports that do not connect to multihomed devices such as hubs or switches. If you follow these rules, a PortFast port should never receive configuration BPDUs. If a PortFast port does receive configuration BPDUs, another bridge is somehow connected to the port, and a bridging loop could form during the Listening and Learning phases. Because configuration BPDUs should never be received in a valid PortFast configuration, Cisco switches support a feature called PortFast BPDU Guard, which shuts down a PortFast-enabled port if a BPDU is received on it. Shutting the port down removes any possibility of a bridging loop forming through that port.

NOTE

A port that has been shut down by the BPDU Guard feature must be manually re-enabled by an administrator, using the no shutdown interface configuration command on Cisco IOS or the set port enable command on CatOS.

If BPDU Guard is not configured on a PortFast-enabled port that is receiving configuration BPDUs, the switch processes those BPDUs and might eventually shut down the port to prevent a loop. However, because PortFast has the port forwarding traffic during this time, a bridging loop might form and bring down the network before the port is blocked.

Enabling PortFast BPDU Guard

On CatOS, the PortFast BPDU Guard feature is disabled by default. It can be enabled or disabled globally for all PortFast ports or explicitly enabled or disabled for each physical PortFast port. To enable or disable PortFast BPDU Guard globally on a CatOS switch, you use the following command:

set spantree global-default bpdu-guard {enable | disable}

To explicitly enable or disable PortFast BPDU Guard for a specific port on a CatOS switch, you use the following command:

set spantree portfast bpdu-guard mod/port {enable | disable | default}

Configuring the default option means that the port inherits the global configuration state of the BPDU Guard feature.

On Cisco IOS, you can configure BPDU Guard only globally, except on native IOS Catalyst 6000/6500 switches running IOS 12.1(11b)E or later, which allow you to configure BPDU Guard explicitly on an interface. To enable PortFast BPDU Guard on a Cisco IOS-based switch, you use the following global configuration command:

spanning-tree portfast bpduguard

To disable PortFast BPDU Guard, simply use the no form of the command.

Referring back to Figure 4-26, assume that you need to enable BPDU Guard on Switch-C and Switch-D. Example 4-42 demonstrates enabling PortFast BPDU Guard on Switch-C.

In Example 4-43, if BPDU Guard were not enabled globally, only ports 2/3-48 would have BPDU Guard enabled.

Testing BPDU Guard

To test BPDU Guard, you first incorrectly configure PortFast and BPDU Guard on interface Fa0/3 (connected to Switch-D) of Switch-B in the topology of Figure 4-26. You then configure Switch-D with a priority of 0, which forces it to begin generating configuration BPDUs out the previously blocked port 2/2, because it assumes the root bridge role. Switch-B should hear these configuration BPDUs generated by Switch-D, which will invoke BPDU Guard and shut down interface Fa0/3.

On Switch-B, ensure that PortFast and BPDU Guard are enabled on interface Fa0/3, as shown in Example 4-44.

Example 4-45. Configuring a Priority of 0 on Switch-D

At this stage, Switch-D has a lower bridge ID than the current root bridge (Switch-A) and assumes that it is the root bridge. Switch-D starts sending configuration BPDUs out port 2/2 to Switch-B. On Switch-B, you should see the following console messages:

15:16:21: %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port. Disabling FastEthernet0/3.
15:16:21: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
15:16:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
15:16:23: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down

Notice that interface Fa0/3 is put into an err-disable state, which means that the interface has been administratively shut down.
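The console messages above are exactly what a monitoring system should alert on: a BPDU Guard shutdown means a port you declared to be an edge port just heard from another bridge, which is either a cabling or configuration error or an unauthorized switch. The following Python script is an added example, not from the book or from Cisco, that parses IOS console/syslog lines in the format shown, counts err-disable events by cause, and reports each interface that bpduguard put into err-disable, noting whether the preceding SPANTREE-2-RX_PORTFAST message for the same interface was seen. The sample log is constructed from the messages in the text; the final psecure-violation line is added only to show that non-BPDU-Guard err-disable causes are separated out.

```python
"""Parse Cisco IOS console/syslog messages and flag PortFast BPDU Guard shutdowns."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the console messages shown in the text.
# The last line is a non-BPDU-Guard err-disable event added to demonstrate filtering.
SAMPLE_LOG = """\
15:16:21: %SPANTREE-2-RX_PORTFAST: Received BPDU on PortFast enabled port. Disabling FastEthernet0/3.
15:16:21: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state
15:16:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
15:16:23: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
15:20:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
"""

# Generic IOS message layout: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+): %(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# Text portion of a PM-4-ERR_DISABLE message: "<cause> error detected on <iface>, putting ..."
ERR_DISABLE_RE = re.compile(r"^(?P<cause>\S+) error detected on (?P<iface>\S+),")
# Text portion of a SPANTREE-2-RX_PORTFAST message ends with "Disabling <iface>."
RX_PORTFAST_RE = re.compile(r"Disabling (?P<iface>\S+)\.$")


@dataclass
class Message:
    ts: str
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[Message]:
    """Return a Message for a well-formed IOS syslog line, or None for anything else."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    return Message(m["ts"], m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def normalize_interface(name: str) -> str:
    """Map long and short IOS interface names to the short form, e.g. FastEthernet0/3 -> Fa0/3.

    IOS abbreviates by keeping the first two letters of the type, so both spellings
    of the same port compare equal after normalization.
    """
    m = re.match(r"^([A-Za-z]+)(.*)$", name)
    if not m:
        return name
    return m.group(1)[:2] + m.group(2)


def errdisable_causes(log_text: str) -> Dict[str, int]:
    """Count PM-4-ERR_DISABLE messages by cause (bpduguard, psecure-violation, ...)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg and msg.facility == "PM" and msg.mnemonic == "ERR_DISABLE":
            m = ERR_DISABLE_RE.match(msg.text)
            if m:
                counts[m["cause"]] += 1
    return dict(counts)


def bpduguard_events(log_text: str) -> List[Dict[str, object]]:
    """Return one record per interface that BPDU Guard put into err-disable.

    'bpdu_seen' is True when an earlier SPANTREE-2-RX_PORTFAST message named the same
    interface, i.e. the shutdown is corroborated by the received-BPDU message.
    """
    bpdu_seen_on = set()
    events: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        msg = parse_line(line)
        if msg is None:
            continue
        if msg.facility == "SPANTREE" and msg.mnemonic == "RX_PORTFAST":
            m = RX_PORTFAST_RE.search(msg.text)
            if m:
                bpdu_seen_on.add(normalize_interface(m["iface"]))
        elif msg.facility == "PM" and msg.mnemonic == "ERR_DISABLE":
            m = ERR_DISABLE_RE.match(msg.text)
            if m and m["cause"] == "bpduguard":
                iface = normalize_interface(m["iface"])
                events.append({"interface": iface, "time": msg.ts, "bpdu_seen": iface in bpdu_seen_on})
    return events


if __name__ == "__main__":
    for ev in bpduguard_events(SAMPLE_LOG):
        print(f"{ev['time']} BPDU Guard err-disabled {ev['interface']} (BPDU seen: {ev['bpdu_seen']})")
    print("err-disable causes:", errdisable_causes(SAMPLE_LOG))
```

Feeding the switch's syslog stream through bpduguard_events gives you the interface and time to act on, and errdisable_causes lets you keep BPDU Guard shutdowns separate from other err-disable reasons in your dashboards. Because the note above says the port stays down until an administrator intervenes, the alert should also carry the reminder that the port will not recover on its own.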